Macrura

Password Protect Page


I have a client who is a record label and they need to have some pages for promoting albums, where there can be a password they give to a reviewer, so the reviewer can go to the URL, type in the password, and be able to view the content (which will be streaming audio and downloads of the album in question).

I have found some simple ways online to do this with PHP, but I'm wondering if there is a better/simpler way to interact with the PW session to achieve this.

The client doesn't want to have to add roles/users or deal with permissions...they just want to have an input field where they can put in the password for that album...

TIA,

Marc


All the reviewers will have the same password for each album? Or each reviewer will have its own password?


All the reviewers will have the same password for each album? Or each reviewer will have its own password?

Good question - another one could be whether the password should be time limited? So it will work for 48 hours then become obsolete, for example.


It would be 1 password to access the album; everyone with the password would be able to access it.

This will be on a non-search-indexed subdomain of their main site, with the links only given to the various press/reviewers.

After the promo period, they would unpublish the page, and we would use the redirects module to send incoming requests to a contact page.


Did I understand right?

1 Page with only a Password form?

According to the password the user will be redirected to the common album?

How secure does the login have to be?

I think the fastest way to achieve your needs would be a template with an input field -> site Password and the main content.

In the Template file you could do something like this:

<?php
// check for login before outputting markup
if($input->post->pass) {

	$pass = $input->post->pass;
	// strict comparison: == would let PHP type juggling treat e.g. "1e1" and "10" as equal
	if($pass === $page->password_field) {
		// login successful
		$session->redirect($page->url);
	} else {
		$session->login_error = 'Please check your Password';
	}
} ?>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>Login</title>
</head>
<body>
<?php if($input->post->pass) {
	echo "<div class='error'>" . $session->login_error . "</div>";
} ?>
<form method="post" action="./" accept-charset="UTF-8">

	<input type="password" id="pass" name="pass" placeholder="Password" required />
	<button type="submit" name="submit" class="btn btn-success btn-block">Login</button>
</form>

</body>
</html>
<?php
die(); // don't go any further if not logged in
} // end !logged in
?>


Thanks Luis, I really appreciate your post - this looks like a very simple/elegant way to do this - I'll report back as soon as I have a chance to integrate this.

-marc


Hi Luis,

I've almost got this working. The main issue now is that the code seems to loop, and also I was getting an error because of the unmatched brace on the } "// end !logged in" line... maybe that's why this is not working?

So after you click the login button, you keep getting back to the login page, I guess because it is all on the same template?

I tried an alternate idea of having only the login code on the template and then including the markup code for the page, contingent on being logged in, which works;

but I'm not sure this is necessary - and with this method I can't figure out how to throw the wrong password error...

Thanks again for your advice and the code!

-marc


Hey Marc,

How did you implement the code?

Sorry for the error, I didn't test the code, just copied and pasted the snippet and edited it in the browser.

Well, my thoughts were the following:

New Page called Albums. -> Status Hidden to exclude from search and nav.

Children of Albums are the Password protected pages.

New Template called Album. -> works as template for these children.

Album template contains the following fields:

password

body

images

The template file should look something like this:

<- Password / login code ->

<- normal page code like head, foot and your assigned fields ->

So you create a new child and enter your desired password in the assigned password field.

After entering the password you should have access to the page.


Hi Luis,

This is my temporary solution - it works for now, but I'm thinking I should do this with a session variable so that if the user refreshes the page or navigates away, and comes back, they don't have to re-enter the password. Also I need to provide an error message... Thanks again for your help; I'll see if I can improve my knowledge/use of the API with respect to $input and $session...

<?php
// only gate the page when an album password has been set
if($page->album_password) {

	$pass = $page->album_password;
	// strict comparison avoids PHP type juggling on numeric-looking strings
	if($input->post->pass !== $pass) { ?>

	<!DOCTYPE html>
	<html>
	<head>
	<meta http-equiv="content-type" content="text/html; charset=utf-8" />
	<title>Login to view <?php echo $page->album_title ?></title>
	</head>
	<body>

		<form method="post" action="./" accept-charset="UTF-8">
			<input type="password" id="pass" name="pass" placeholder="" />
			<button type="submit" name="submit" class="btn btn-success btn-block">Login</button>
		</form>

	</body>
	</html>

	<?php } else {
		// correct password posted: render the album
		include("./inc/album.inc");
	}

} else {
	// no password set: render the album directly
	include("./inc/album.inc");
}
?>


Should be fairly easy to add session support.

if($input->post->pass) $session->pass = $input->post->pass; 
if($page->album_password && $session->pass !== $page->album_password) {
 $page->body = $input->post->pass ? '<h3>Invalid Password</h3>' : '';
 $page->body .= file_get_contents("./inc/login-form.inc"); 
 include("./basic-page.php"); 
} else {
 include("./album.inc"); 
}

I'm also implementing pages protected only by a password. The code here works, but like this the password isn't using any encryption. I tried to define the field as a password, and like this make it encrypted. But I don't know how to compare with the user input.

I tried this, where password_salt is a password field for this page:

// this works: i got the input from the form password field
$pw2= $input->pass;
echo "<br />bd: " . $pw2;

// here i got the: Error: Exception: Method Password::match does not exist or is not callable in this context 
$pw3= $page->password_salt->match($pw2);
echo "<br />password_salt: " . $pw3;
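
The two points raised in the posts above (remembering a successful login in the session, and not keeping the album password in plain text) can be combined as follows. This is an added example, not code from any poster or from ProcessWire: it uses PHP's built-in password_hash()/password_verify(), and the function albumGate(), the session keys, the album ID and the sample password are hypothetical.

```php
<?php
// Added example: plain PHP, no ProcessWire dependency. $session stands in for
// $_SESSION (or ProcessWire's $session); all function and key names are hypothetical.

const MAX_ATTEMPTS = 5;

/**
 * Decide what to render for one request to a password-gated album page.
 * Returns 'granted', 'form' (no attempt yet), 'invalid' or 'locked'.
 */
function albumGate(array &$session, string $albumId, string $storedHash, ?string $submitted): string
{
    $okKey = "album_ok_$albumId";       // per-album flag, so one password unlocks one album
    $failKey = "album_fail_$albumId";   // failed attempts in this session

    if (!empty($session[$okKey])) {
        return 'granted';               // already unlocked: survives refresh/navigation
    }
    if (($session[$failKey] ?? 0) >= MAX_ATTEMPTS) {
        return 'locked';
    }
    if ($submitted === null || $submitted === '') {
        return 'form';
    }
    // password_verify() re-hashes the input with the salt embedded in $storedHash
    // and compares in constant time; the plaintext is never stored anywhere.
    if (password_verify($submitted, $storedHash)) {
        $session[$okKey] = true;        // store a flag, not the password itself
        unset($session[$failKey]);
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_regenerate_id(true); // new session ID after the privilege change
        }
        return 'granted';
    }
    $session[$failKey] = ($session[$failKey] ?? 0) + 1;
    return 'invalid';
}

// Constructed sample data: the hash is what the album's field would hold
// instead of the plaintext password.
$hash = password_hash('promo-2024-demo', PASSWORD_DEFAULT);
$session = [];
foreach ([null, 'wrong', 'promo-2024-demo', null] as $attempt) {
    echo var_export($attempt, true), ' => ', albumGate($session, 'album-42', $hash, $attempt), PHP_EOL;
}
```

The attempt counter lives in the visitor's own session, so it only slows down a single browser session; a client that discards its cookie starts again at zero, and real throttling has to be keyed on something server-side.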
